1. Field of the Invention
The present invention relates to mobile communication's access authentication, especially to the HRPD (High Rate Packet Data), EV/DO, network access authentication method based on CAVE (Cellular Authentication and Voice Encryption) algorithm.
2. Description of the Prior Art
CDMA2000 1X network has been widely applied commercially over the world. In this kind of network, the Challenge Handshake Authentication Protocol (hereinafter referred to simply as CHAP) based on CAVE algorithm has been adopted to identify the validity of the access terminals. This authentication system has comparatively perfect methods for protecting from illegal attack. A mobile station's (hereinafter referred to simply as MS) privacy key (A-key) and the CAVE algorithm (hereinafter referred to simply as CAVE) are stored in the mobile station and the 1x network's authentication center respectively.
The authentication process mainly includes such two procedures as the updating of shared secret data (SSD) and the performing of authentication. Part A of the shared secret data (SSD_A) is used for access authentication. According to specific conditions, the network sends a message including a segment of random numbers to an MS and the authentication center respectively, in order to update the SSD_A data. After the message is received by the MS and the authentication center respectively, the included random numbers, the A-key and other parameters are together input into the “SSD_GENEREATION PROCEDURE” so as to generate a new SSD_A after calculation. After validity identification, the new SSD_A takes the place of the old one and will be used as the privacy key for access authentication. When an authentication is needed to be done on a subscriber terminal, the network sends the authentication request message to the MS and the authentication center including a segment of random numbers. After the message is received by the MS and the authentication center respectively, the authentication result will be worked out by using the random numbers included in the message, the SSD_A and other parameters to be input into the CAVE algorithm. The MS sends the authentication result to the authentication center. By comparing the similarities and differences between the authentication results, the authentication can be identified as valid or not. To prevent any vicious users from stealing the subscriber' keys, SSD_A (which is used as the temporary privacy key) can be updated frequently. Therefore, this authentication mode has very high level of security. In practice, the A-key can be located in two modes. One is that it is stored in the MS, and corresponding CAVE algorithm is also implemented in the MS. In this case, it is called a host-card-not-separated mobile station; the other is that the A-key is stored in the User Identity Module (hereinafter referred to as the UIM card), and the corresponding CAVE algorithm is also implemented in the UIM card. In this case, it can be called a host-card-separated (removable UIM card) MS. At present, only the host-card-separated MS is available in China, whereas the host-card-not-separated MS is available in most foreign countries. HRPD network is the upgrade one of CDMA2000 1X network and has been gradually adopted in commercial application all over the world. In practical commercial application, the HRPD network generally shares the same packet data core network (which is mainly composed of the PDSN and the AAA) with the CDMA2000 1X network. As prescribed in the corresponding specifications of the 3G Partnership Project 2 (hereinafter referred to simply as 3GPP2), if the access authentication is adopted by the HRPD network, the authentication mode should also be the CHAP authentication one, but no detailed encryption algorithm is specified explicitly, which can be specified by the specific operator. Just like the CDMA2000 1X network, by the location where the privacy key is stored, HRPD's access terminals (referred to simply as AT) can be also divided into such two kinds as host-card-separated AT and host-card-not-separated AT.
Both HRPD network and the CDMA2000 1x network are independent one another. No information exchanges between them except that they share the same packet data core network. Because the HRPD network mainly provides subscribers with data service, the subscribers can enjoy the services through the dual-mode terminals that support both CDMA2000 1x network and the HRPD network, and this kind of subscribers are the main subscribers group of HRPD network. In practice, normally, it is provided a voice service/data service by means of the CDMA2000 1x network and a high-speed packet data service by means of the HRPD network. Therefore, the dual-mode terminals that support not only the CDMA2000 1x network but also the HRPD network will take up a sizable share. Because CDMA2000 1x network is generally established ahead of the HRPD network, the existing MSs in CDMA2000 1x network, whether the host-card-separated MS or the host-card-not-separated MS, support only the CAVE algorithm during the authentication process. In order to support the dual-mode operation, the MSs must be upgraded to support not only the CAVE algorithm but also the HRPD network's access authentication algorithms like the MD5 algorithm. For example, for a host-card-separated terminal, its UIM card is needed to be upgraded to a multi-mode one so as to support both the two kinds of authentication. Because of a great deal of subscribers, it takes a great deal cost to upgrade the UIM card, and brings an inconvenience to the subscriber.
Accordingly, on the premise that the CDMA2000 1x network has been launched into operation and possesses a lot of subscribers, how to realize the dual-mode terminal's access authentication with a minimal cost is a challenge to the HRPD network construction.
It is needed that the existing removable UIM card, which has CAVE algorithm, can be used for hybrid HRPD terminal (cdma2000 1x and HRPD dual mode terminal) to authenticate the terminal with an AN-AAA server that have the CAVE algorithm.